In many systems such as mobile phones, cellular base stations, authentication tokens and banking data centres it is important to maintain security over the operating environment of data processors.
A number of measures are available to help maintain the security of data processing systems. For example, firewalls can be implemented to block unwanted communication traffic, monitoring systems such as anti-virus software can be used to detect malicious activity, and operating systems can be configured to partition memory so that a process running on a computer can only access the areas of memory designated to it. These measures suffer from a number of problems. First, many modern computing architectures are of the system-on-chip (SoC) design, in which multiple data processing entities are implemented on a single integrated circuit chip. This can improve processing speed and efficiency because the entities can communicate with each other without data leaving the chip. However, because such data never leaves the chip, it is difficult to monitor it with existing security systems, for example to detect attempts to compromise the system by enabling a process to gain access to data it is not authorised to access, or to manipulate the operation of another process. Second, because many security systems are transparent to the end user but are implemented remotely from the user's data processing device, it is difficult for the user to be certain that the security systems are operating effectively. For example, when a user is communicating normally through a firewall, the user has no way of knowing whether the firewall is actually operating to block any malicious communications.
Some approaches involve the use of a secure monitor or hypervisor implemented in software. The hypervisor checks for a non-secure entity attempting to access a secure entity. The hypervisor resides in the target system's memory space. Other systems involve a software agent which runs in the background and scans files and other objects for data that matches known signatures of malware. These approaches have the disadvantage of consuming resources of the target system in such a way as to reduce the system's performance for user-level tasks. They may also be obtrusive to the user.
Further examples of approaches to securing data processors are discussed in “An Analysis of Secure Processor Architectures”, S. Chhabra et al., Transactions on Computational Science VII, Lecture Notes in Computer Science, Vol. 5890, pp. 101-121 (www.ece.ncsu.edu/arpers/Papers/tcs-survey.pdf).
ARM TrustZone is a security system that is implemented partly in hardware and partly in software. An integrated circuit's interconnects are configured to be capable of supporting a sideband signal for signalling a processor to switch between secure and non-secure domains. Software is then used to manage the integrated circuit so as to transition the processor between operating in a normal (non-secure) environment and a secure environment. Because systems of this nature rely on software running on the integrated circuit it can be difficult to guarantee that the operations of the integrated circuit are fully supervised by the security system.
The UEFI secure boot protocol blocks the execution of operating system loaders that do not have a valid cryptographic signature. This protocol can be used to enforce the loading of a trusted operating system, but it does not directly enforce the security of higher level operations as would be required if it were to supervise the security of arbitrary software running on the operating system.
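The following is an added illustration, not code from this document or from any UEFI implementation, of the signature check that a secure boot protocol performs before handing control to an operating system loader. It is deliberately simplified: the loader is an opaque byte string rather than a PE image, the platform's trusted key database is a plain list of Ed25519 public keys, and the names `SignedImage`, `SignImage` and `VerifyLoader` are hypothetical. It shows why such a check enforces only what is loaded at boot: once `VerifyLoader` has accepted an image, nothing in this mechanism constrains what that image does afterwards.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignedImage models a boot loader image carrying a detached signature
// (hypothetical, simplified stand-in for a signed UEFI loader).
type SignedImage struct {
	Payload   []byte // the loader code
	Signature []byte // Ed25519 signature over SHA-256(Payload)
}

// ErrUntrustedLoader is returned whenever firmware must refuse to execute.
var ErrUntrustedLoader = errors.New("loader signature missing or invalid: refusing to execute")

// SignImage is the vendor-side step: sign the digest of a loader with a
// key whose public half is enrolled in the platform's trusted database.
func SignImage(priv ed25519.PrivateKey, payload []byte) SignedImage {
	digest := sha256.Sum256(payload)
	return SignedImage{Payload: payload, Signature: ed25519.Sign(priv, digest[:])}
}

// VerifyLoader is the firmware-side check: the loader runs only if its
// signature verifies under at least one enrolled public key. A missing,
// malformed, or tampered signature all fail closed.
func VerifyLoader(trusted []ed25519.PublicKey, img SignedImage) error {
	if len(img.Signature) != ed25519.SignatureSize {
		return ErrUntrustedLoader
	}
	digest := sha256.Sum256(img.Payload)
	for _, pub := range trusted {
		if ed25519.Verify(pub, digest[:], img.Signature) {
			return nil
		}
	}
	return ErrUntrustedLoader
}

func main() {
	// Constructed demo: one enrolled vendor key, one loader image.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	db := []ed25519.PublicKey{pub}
	good := SignImage(priv, []byte("constructed loader image v1"))
	fmt.Println("signed loader:   ", VerifyLoader(db, good))

	// A tampered copy: same signature, modified payload.
	tampered := good
	tampered.Payload = []byte("constructed loader image v2")
	fmt.Println("tampered loader: ", VerifyLoader(db, tampered))

	// An image with no signature at all.
	fmt.Println("unsigned loader: ", VerifyLoader(db, SignedImage{Payload: good.Payload}))
}
```

The check verifies a digest of the whole image, so any change to the loader after signing invalidates the signature; but it inspects nothing about the loader's subsequent behaviour, which is the limitation the paragraph above describes.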
GB 2 500 441 and GB 2 501 333 describe aspects of systems for assisting in the debugging of an SoC. Such debugging systems can monitor transactions between processing entities on the SoC and can provide reports to an on-chip or off-chip analysis unit when transactions matching predetermined criteria take place.
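As an added example, not taken from this document or from either cited GB application, the following sketches in software the kind of transaction monitoring such a debug system performs: a stream of on-chip transactions is compared against predetermined criteria, and only the matching ones are reported to an analysis unit. The bus model, the `Rule` and `Monitor` types, and the sample transactions are all constructed for illustration. The monitor observes the interconnect rather than sitting in the data path, so it consumes no resources of the entities it watches, which is the property that makes this approach attractive for the security supervision the document goes on to motivate.

```go
package main

import "fmt"

// Transaction is a simplified on-chip interconnect transaction
// (constructed model; real SoC buses carry far more fields).
type Transaction struct {
	Initiator string // hypothetical entity names, e.g. "cpu0", "dma"
	Addr      uint64
	Write     bool
}

// Rule is one predetermined criterion: an address window, the set of
// initiators permitted to touch it, and whether writes are permitted.
type Rule struct {
	Name       string
	Start, End uint64 // inclusive window
	Allowed    map[string]bool
	ReadOnly   bool
}

// Report is what the monitor forwards to the on- or off-chip analysis unit.
type Report struct {
	Rule string
	Tx   Transaction
}

// Monitor holds the criteria and inspects transactions without altering them.
type Monitor struct{ Rules []Rule }

// Check returns a report for every rule whose window the transaction falls
// in and whose policy it violates. A transaction outside all windows is ignored.
func (m Monitor) Check(tx Transaction) []Report {
	var out []Report
	for _, r := range m.Rules {
		if tx.Addr < r.Start || tx.Addr > r.End {
			continue
		}
		if !r.Allowed[tx.Initiator] || (r.ReadOnly && tx.Write) {
			out = append(out, Report{Rule: r.Name, Tx: tx})
		}
	}
	return out
}

// Scan runs Check over a whole captured stream.
func (m Monitor) Scan(txs []Transaction) []Report {
	var out []Report
	for _, tx := range txs {
		out = append(out, m.Check(tx)...)
	}
	return out
}

// SampleMonitor builds two constructed rules: a key store only cpu0 may
// touch, and a boot ROM that cpu0 and dma may read but nobody may write.
func SampleMonitor() Monitor {
	return Monitor{Rules: []Rule{
		{Name: "secure-keys", Start: 0x1000, End: 0x1FFF, Allowed: map[string]bool{"cpu0": true}},
		{Name: "boot-rom", Start: 0x0000, End: 0x0FFF, Allowed: map[string]bool{"cpu0": true, "dma": true}, ReadOnly: true},
	}}
}

// SampleTransactions is a constructed capture containing three violations.
func SampleTransactions() []Transaction {
	return []Transaction{
		{Initiator: "cpu0", Addr: 0x1010},               // permitted
		{Initiator: "dma", Addr: 0x1020},                // dma reading the key store
		{Initiator: "dma", Addr: 0x0100, Write: true},   // write to read-only ROM
		{Initiator: "modem", Addr: 0x8000},              // no rule covers this window
		{Initiator: "cpu0", Addr: 0x0200, Write: true},  // cpu0 writing the ROM
	}
}

func main() {
	for _, rep := range SampleMonitor().Scan(SampleTransactions()) {
		fmt.Printf("rule %-12s initiator=%-6s addr=0x%04X write=%v\n",
			rep.Rule, rep.Tx.Initiator, rep.Tx.Addr, rep.Tx.Write)
	}
}
```

Because matching is done per transaction against fixed windows and initiator sets, the criteria can be held in a small table and evaluated in hardware at line rate; the reports, not the transactions, are what leave the monitor.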
There is a need for an improved mechanism for securing the operation of data processing devices.